===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2017.3187
Multiple serious vulnerabilities fixed in IBM DB2
14 December 2017
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           IBM DB2
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Root Compromise                 -- Existing Account
                   Access Privileged Data          -- Remote/Unauthenticated
                   Denial of Service               -- Remote with User Interaction
                   Execute Arbitrary Code/Commands -- Existing Account
                   Overwrite Arbitrary Files       -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-1520 CVE-2017-1519 CVE-2017-1451
                   CVE-2017-1439 CVE-2017-1438 CVE-2017-1434
                   CVE-2017-1297 CVE-2017-1134 CVE-2017-1105
                   CVE-2016-9842 CVE-2016-9841 CVE-2016-9840
                   CVE-2016-4463 CVE-2016-2985 CVE-2016-2984
                   CVE-2016-2183 CVE-2016-2118 CVE-2016-2115
                   CVE-2016-2114 CVE-2016-2113 CVE-2016-2112
                   CVE-2016-2111 CVE-2016-2110 CVE-2016-0729
                   CVE-2016-0392 CVE-2016-0361 CVE-2016-0263
                   CVE-2015-7560 CVE-2015-5370

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=swg21994955

--------------------------BEGIN INCLUDED TEXT--------------------

Security Vulnerabilities, HIPER and Special Attention APARs fixed in DB2 for
Linux, UNIX, and Windows Version 11.1

Flash (Alert)

Document information

Software version: 11.1
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
Reference #: 1994955
Modified date: 12 December 2017

Abstract

This document contains a list of fixes for Security and HIPER APARs in DB2
Version 11.1.

Content

A set of security vulnerabilities was discovered in some DB2 database
products. These vulnerabilities were analyzed by the DB2 development
organization and a set of corresponding fixes was created to address the
reported issues.
IBM is not currently aware of any externally reported incidents where
production DB2 installations have been compromised due to these issues.

The affected DB2 UDB for Linux, UNIX, and Windows products are:

DB2 Connect Server (all Editions)
DB2 Developer Edition
DB2 Enterprise Server (all Editions)
DB2 Express Server (all Editions)
DB2 Workgroup Server (all Editions)

DB2 Client component and DB2 products or components other than those listed
above are not affected.

Due to the complexity of the fixes required to eliminate the reported service
issues, it is not feasible to retrofit the same fixes into earlier DB2
Version 11.1 fix packs.

DB2 Version 11.1 Fix Pack m2ifx002

HIPER APARs

IJ00193  PARALLEL IXSCANS FOR COLUMN-ORGANIZED TABLES MIGHT CAUSE AN ABEND/WRONG RESULTS IF UPDATE ACTIVITY OCCURS IN THE SAME CONNECTION
IT21948  DB2 MAY RETURN WRONG RESULTS WITH ORACLE COMPATIBILITY AND SUBSTR
IT21985  DOING LIKE ON A CODEUNITS32 FIXED LENGTH COLUMN IN THE COLUMNAR ORGANIZED TABLE COULD RETURN AN INCORRECT RESULT
IT22013  WRONG RESULT IS POSSIBLE WHEN CODEUNITS32 IS USED IN A ROW DATA TYPE ASSIGNMENT AND CAST IS USED
IT22345  WRONG RESULT WHEN EXPRESSION ON JOIN COLUMN
IT22386  DB2: IF ANY COMMAND WITH RECLAIM EXTENTS OPTION IS RUN ON AN MDC TABLE DURING A BACKUP, A ROLLFORWARD ON IT COULD FAIL
IT22750  POSSIBLE WRONG RESULTS WITH VARCHAR_FORMAT WHEN USING 'DY DDD YYYY' FORMAT
IV97845  A QUERY AGAINST COLUMNAR ORGANIZED TABLE AND ARITHMETIC ON BOTH TIME AND DECIMAL DATATYPES MAY RETURN INCORRECT RESULT
IV99561  RARE TRAP DURING CDE HASH JOIN WHEN DATA VOLUME ON THE INNER OF THE JOIN IS EXTREMELY LARGE

DB2 Version 11.1 Fix Pack m2ifx001

Security APARs

IT21140  SECURITY: ESCALATION TO ROOT VULNERABILITY IN DB2.
IT21347  SECURITY: CONNECTION STRING DISPLAYED IN ERROR MESSAGE
IT21364  ESCALATION TO ROOT VULNERABILITY IN DB2.
IT21455  SECURITY: DB2CONNECT SERVER CAN CRASH UNDER SPECIFIC CONDITIONS.
IT21458  SECURITY: DB2 CAN BE USED TO OVERWRITE ARBITRARY FILES OWNED BY DB2 INSTANCE
IT21459  SECURITY: USER WITHOUT PROPER AUTHORITY CAN ACTIVATE DATABASE.

HIPER APARs

IT18136  INSERT QUERY THAT HAS A COLUMN VALUE GENERATED USING TRIGGER COULD PRODUCE WRONG RESULTS OR SQL0407N
IT19976  SQL QUERIES WITH IN OR NOT IN CLAUSE MAY PRODUCE INCORRECT RESULTS FOR A COLUMN-ORGANIZED TABLE
IT20438  INCORRECT RESULT OR SQL0811N ARE POSSIBLE WHEN SQL CONTAINS SCALAR NOT EXISTS SUBQUERY
IT20518  IN DPF, WHEN UNIQUE TQ IS PRESENT IN THE PLAN AND SPECIAL INTERNAL PERF OPT IS HAPPENING, POSSIBLE DUPLICATE VALUES RETURNED
IT20720  TRUNCATING CAST TO (VAR)CHAR AGAINST A COLUMNAR ORGANIZED TABLE COULD RETURN DANGLING BYTE INSTEAD OF A BLANK CHARACTER.
IT20786  INCORRECT RESULT POSSIBLE WHEN CASE AND ANOTHER PREDICATE HAVE THE SAME COMPARISON OPERATION
IT21100  UPDATE OF UNIQUE COLUMNS MIGHT RESULT IN DUPLICATES IN A TABLE WITH A UNIQUE INDEX

DB2 Version 11.1 Fix Pack 2

Security APARs

IT17647  SECURITY: VULNERABILITY IN GSKIT AFFECTS IBM DB2 (CVE-2016-2183)
IT20462  SECURITY: TSAMP PRIVILEGE ESCALATION VULNERABILITY AFFECTS DB2 (CVE-2017-1134)
IT20562  SECURITY: DB2 CLP WILL TRAP IF IT IS PASSED A ROUTINE NAME GREATER THAN THE ALLOWED MAXIMUM LENGTH (CVE-2017-1297).
IT20563  SECURITY: BUFFER OVERFLOW THAT COULD ALLOW A LOCAL USER TO OVERWRITE DB2 FILES OR CAUSE A DENIAL OF SERVICE (CVE-2017-1105).
IT20566  SECURITY: DB2 IS AFFECTED BY VULNERABILITIES IN COMPRESSION ROUTINES.

HIPER APARs

IT17787  SQL STATEMENT WITH AN EXISTS PREDICATE AND A JOIN INVOLVING NON-DETERMINISTIC CORRELATED SUBQUERY MAY RETURN MORE ROWS
IT17894  PREDICATE COMPARING SUBSTR ON CODEUNITS32 COLUMN IN THE COLUMNAR ORGANIZED TABLE TO HOST VAR COULD RETURN AN INCORRECT RESULT
IT18021  INCORRECTLY GENERATED DERIVED PREDICATES MIGHT CAUSE INCORRECT QUERY RESULTS DUE TO TRAILING BLANKS
IT18083  WRONG RESULTS AGAINST COLUMN ORGANIZED TABLE ARE POSSIBLE WITH EXPANDING JOIN PLAN
IT18101  AN SQL STATEMENT IN A PARTITIONED DATABASE ENV CONTAINING THE ROW_NUMBER() OVER() OPERATION MIGHT PRODUCE INCONSISTENT RESULTS
IT18170  WRONG RESULT IS POSSIBLE IF GENERATED ALWAYS EXPRESSION REFERENCES A BUILT-IN FUNCTION WITH MORE THAN ONE STRING INPUT
IT18204  WRONG RESULT IS POSSIBLE IN ORACLE COMPATIBILITY MODE UNICODE DB WHEN COMPARING A CHAR COLUMN WITH A GRAPHIC CONSTANT
IT18381  DB2 MAY RETURN INCORRECT RESULTS IF USING A CASE STATEMENT TO COMPARE FIXED CHAR/GRAPHIC STRINGS IN VARCHAR2 COMPATIBILITY MODE
IT18502  DB2 MAY RETURN SQLCODE:-901 OR RETURN WRONG RESULTS ON QUERIES WITH PLANS THAT INVOLVE SORT ON AN ENCRYPTED DATABASE
IT18506  DB2 CAN RETURN WRONG RESULTS WHEN USING THE SPECIAL REGISTER 'CURRENT DECFLOAT ROUNDING MODE' IN A QUERY IN AN MPP ENVIRONMENT
IT18742  TRUNC ON MINIMUM INTEGER VALUE MIGHT RETURN 0 WHEN (VALUE, -X) IS DONE
IT18797  PURESCALE: QUERY MIGHT RETURN WRONG RESULT WHEN INPLACE (ONLINE) TABLE REORGANIZATION IS RUNNING
IT19197  DB2 MIGHT PRODUCE INCORRECT RESULT WHEN EXECUTING XQUERY WITH MULTIPLE OR SUBTERMS
IT19608  DB2 MAY CONVERT VIEW COLUMN TYPES INCORRECTLY OR RETURN SQL0418N UPON REVALIDATION OF A VIEW WITH UNTYPED EXPRESSIONS
IT19796  COMPILED COMPOUND SQL OR A PL/SQL ANONYMOUS BLOCK CAN DELETE ALL ROWS OF AN ON COMMIT DELETE ROWS TEMPORARY TABLE
IT20463  INCORRECT RESULTS ARE POSSIBLE WHEN CONCURRENT QUERIES ACCESS COLUMNAR ORGANIZED TABLES AND USE CS ISOLATION
IT20661  WRONG RESULTS MIGHT OCCUR WHEN SCALAR SUB-QUERY IS ON THE LEFT HAND SIDE OF A NOT IN PREDICATE
IV91752  THE FIRST UPDATE STATEMENT FOR A COLUMN-ORGANIZED TABLE MAY IN RARE CASES CAUSE FUTURE QUERIES TO MISS SOME MATCHING RESULTS
IV93080  WRONG RESULT IS POSSIBLE WHEN COLUMNAR TABLES ARE INVOLVED IN A PLAN WITH A UNION AND CSE IS PUSHED DOWN ON TO CDE

DB2 Version 11.1 Fix Pack 1

Security APARs

IT15579  SECURITY: DB2 IS AFFECTED BY OPEN SOURCE APACHE XERCES-C XML PARSER VULNERABILITIES (CVE-2016-0729)
IT16324  SECURITY: DB2 PURESCALE AFFECTED BY MULTIPLE VULNERABILITIES IN GPFS
IT17012  SECURITY: ELEVATED PRIVILEGES WITH DB2 EXECUTABLES (CVE-2016-5995)
IT17530  SECURITY: DB2 PURESCALE AFFECTED BY A VULNERABILITY IN GPFS (CVE-2016-2119)

HIPER APARs

IT16112  A CORRELATED SCALAR SUBQUERY IN AN UPDATE STATEMENT MAY NOT CORRECTLY RETURN SQL0811N
IT16385  DB2 DATA SERVER CLIENT SILENT INSTALL FAILS WITH ERROR: PRODUCT: IBM DATA SERVER CLIENT - DB2COPY1 -- ERROR 1314
IT16656  SQL0801 AND WRONG RESULTS FROM STDDEV_SAMP, VARIANCE_SAMP, COVARIANCE_SAMP WHEN USED IN AN OLAP SPECIFICATION
IT16703  DB2 MAY RETURN INCORRECT RESULTS WHEN USING STRING EQUALITY PREDICATES CONTAINING DIFFERING CODE UNITS
IT16869  SELECT ROW CHANGE TOKEN WILL RETURN WRONG RESULT WHEN USING RIDSCAN (ROW IDENTIFIER SCAN)
IT16893  ONLINE BACKUP WITH COMPRESSION AND ENCRYPTION MAY CREATE A CORRUPTED BACKUP FILE
IT17179  IF ARRAY USED IN AN OPEN CURSOR IS MODIFIED THEN WRONG RESULT OR A TRAP ARE POSSIBLE
IT17452  WRONG RESULT IN STORED PROCEDURE QUERY WHEN ADD/DROP CHECK CONSTRAINT
IT17458  IN DB2 DPF, POSSIBLE WRONG RESULT WHEN OUTER JOIN PREDICATE COL1 = COL2 AND BOTH COLUMNS ARE FROM THE OUTER TABLE
IT17489  SELECT AGAINST AN MDC TABLE WITH A RANGE PREDICATE IN SMP MIGHT RETURN A WRONG RESULT
IT17556  INCORRECT RESULTS ARE POSSIBLE WHEN JOIN AGAINST CDE TABLES IS DONE AND AN UNDOCUMENTED JOIN SUPPORT REGISTRY VARIABLE SET
IT17941  POSSIBLE WRONG RESULTS WHEN THE INPUT PARAMETERS OF AN INLINED SQL SCALAR UDF CONTAINS AN OLAP SPECIFICATION
IV90269  QUERIES WITH MULTIPLE OLAP CLAUSES AND DISTINCT AGAINST COLUMN ORGANIZED TABLES COULD RETURN WRONG RESULTS
IV90750  INCORRECT RESULTS ARE POSSIBLE WHEN MULTIPLE ROW_NUMBER(), INLINED SQL SCALAR UDF AND COLUMN ORGANIZED TABLES ARE PRESENT

DB2 fix packs for all supported versions can be downloaded at the following
site:

http://www.ibm.com/support/docview.wss?uid=swg27007053

The DB2 team will continue to have a strong focus on delivering timely fixes
for newly discovered issues along with information that helps our customers to
decide on an appropriate course of action.

The DB2 team regrets the inconvenience that these issues are causing to you,
our customers. We believe that our actions are the most prudent steps to
address your concerns and remain open to suggestions on how to further improve
our processes.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the information
is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================